Compromised ultralytics PyPI package delivers crypto coinminer
ReversingLabs
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software security headlines from around the world, curated by the team at ReversingLabs.
This week: RL researchers discovered a malicious version update of the popular package ultralytics that was used to deploy a crypto miner, with the potential to deploy other malware strains as well. Also: A new report sheds light on the security risks that persist in the open source ecosystem.
This Week’s Top Story
Compromised ultralytics PyPI package delivers crypto coinminer
ReversingLabs threat researchers discovered that a compromised build environment led to a malicious deployment of a popular AI library, which had the potential of delivering other malware strains. The package, a malicious version (8.3.41) of the popular AI library ultralytics – which has almost 60 million downloads – was published to the Python Package Index (PyPI) on December 4. It contained code that would download a coinminer known as XMRig onto the victim’s environment. Researchers assert that the threat actor abused a previously known and reported GitHub Actions Script Injection in order to compromise the project’s build environment.
There were several red flags in this incident that caught researchers’ attention. As in a recent attack RL researchers discovered involving a malicious version update to the package aiocpa, the content in the GitHub repository didn’t match the content of the corresponding ultralytics PyPI package. This means that malicious actors managed to compromise the project’s build environment and injected the malicious code after the code review part of the process was finished. Also concerning: The project’s maintainers didn’t properly locate the compromise of the build environment. They then prematurely released an update to address the incident on December 5, but the update still contained the same malicious code due to this oversight by maintainers.
Once the overlooked malicious code was detected, maintainers published a new version later in the day on December 5 that officially resolved the supply chain attack. This compromise of ultralytics had the potential to become one of the biggest open source software supply chain attacks to date, since the package has millions of downloads on PyPI and its GitHub project has more than 30,000 stars.
Exploiting GitHub Actions Script Injection is a sophisticated attack technique, and was first spotted by security researcher Adnan Khan. In this attack scenario, a threat actor can create a fork of any repository that uses ultralytics/actions, and by crafting a pull request from a branch that has injection payload code in its title, they can achieve arbitrary code execution.
Using RL Spectra Assure, researchers conducted a differential analysis of two package versions for ultralytics (non-malicious version 8.3.40 and malicious version 8.3.41) in order to identify how the threat actor pulled off the attack. For this specific incident, researchers assert that the malicious code was inserted into the files downloads.py and model.py in order to deploy XMRig, so that attackers could mine victims’ cryptocurrency.
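For defenders auditing their own workflows for this class of flaw, the check below is an added example (not code from RL or the ultralytics project). It flags attacker-controllable GitHub contexts expanded directly inside `run:` scripts and accepts the same values when they are passed through `env:` instead. The two workflow fragments are constructed samples, and the line-based parsing is a simplification that assumes conventionally indented YAML.

```python
import re

# Contexts that a pull request author controls (title, body, branch name, comments).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body)))\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_script_injection(workflow_text):
    """Return (line_number, context) for untrusted expressions inside run: scripts."""
    findings = []
    block_indent = None  # column of the run: key while inside its script block
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        key = RUN_KEY.match(line)
        if key:
            block_indent, script = len(key.group(1)), key.group(2)
        elif block_indent is None or not line.strip():
            continue  # outside any run: script, or a blank line
        elif len(line) - len(line.lstrip()) <= block_indent:
            block_indent = None  # dedent: the script block has ended
            continue
        else:
            script = line
        findings += [(number, m.group(1)) for m in UNTRUSTED.finditer(script)]
    return findings

# Constructed sample: the expression is pasted into the shell script before it runs.
VULNERABLE = """\
steps:
  - name: Report
    run: |
      echo "Title: ${{ github.event.pull_request.title }}"
      echo "Branch: ${{ github.head_ref }}"
"""
# Constructed sample: values reach the script only as environment variables.
HARDENED = """\
steps:
  - name: Report
    env:
      PR_TITLE: ${{ github.event.pull_request.title }}
      HEAD_REF: ${{ github.head_ref }}
    run: |
      echo "Title: $PR_TITLE"
      echo "Branch: $HEAD_REF"
"""
```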
(RL Blog)
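A minimal sketch of the kind of differential check described above, as an added example (it is not Spectra Assure and not RL's code): it compares two wheel archives file by file and, for each changed Python file, lists modules the newer release imports that the older one did not. The same comparison applies between a wheel built from the reviewed repository tag and the artifact published on PyPI. The archives here are constructed in memory with hypothetical paths and invented contents.

```python
import ast
import io
import zipfile

def read_members(archive_bytes):
    """Return {path: content} for every file in a wheel (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}

def imported_modules(source):
    """Top-level names of all absolute imports in a Python source file."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def diff_releases(old_bytes, new_bytes):
    """List added/removed files and, per changed file, newly imported modules."""
    old, new = read_members(old_bytes), read_members(new_bytes)
    report = {"added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys()), "changed": {}}
    for path in sorted(old.keys() & new.keys()):
        if old[path] != new[path]:
            gained = set()
            if path.endswith(".py"):
                gained = imported_modules(new[path]) - imported_modules(old[path])
            report["changed"][path] = sorted(gained)
    return report

def build_wheel(files):
    """Pack {path: text} into an in-memory zip so the example runs offline."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buffer.getvalue()

# Constructed stand-ins for two releases: paths are hypothetical and the
# contents are invented, not the code shipped in either ultralytics version.
OLD = build_wheel({"pkg/__init__.py": "__version__ = '1.0.0'\n",
                   "pkg/utils/downloads.py": "import re\n",
                   "pkg/engine/model.py": "from pathlib import Path\n"})
NEW = build_wheel({"pkg/__init__.py": "__version__ = '1.0.1'\n",
                   "pkg/utils/downloads.py": "import re\nimport subprocess\n",
                   "pkg/engine/model.py": "from pathlib import Path\nimport os\n"})
```

A routine version bump shows up as a changed file with no new imports, while a file that suddenly gains process or network modules is the one to read first.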
This Week’s Headlines
New report: Security risks persist in open source ecosystem
A new report by the Linux Foundation, OpenSSF and Harvard University titled The CENSUS III project has yielded insights into the significant security risks that continue to be prevalent in open source software practices. The project was based on 12 million observations of free and open source software (FOSS) libraries used in production apps at over 10,000 companies across different industries. Continued problems highlighted by the report include a lack of standardization in the naming scheme of software components, heavy reliance on individual developer accounts, and the prevalence of legacy software in the OSS ecosystem.
Most concerning are the report’s findings regarding how few maintainers there are for such projects: “In the year 2023, 17% of projects had one developer accounting for more than 80% of commits authored while 40% of projects had only one or two developers accounting for more than 80% of commits authored.” This presents a major security risk since threat actors can take advantage of these under-staffed projects, and the project estimates that up to 96% of companies’ codebases use FOSS. (Infosecurity Magazine)
Researchers uncover flaws in popular ML frameworks
JFrog researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. Last month, JFrog released a set of vulnerabilities also impacting open-source ML tools, but on the server-side. The newly shared flaws allow for exploitation of ML clients, residing in libraries that handle safe model formats. Researchers said that the exploitation of an organization’s ML clients “can allow the attackers to perform extensive lateral movement within the organization.” This kind of attack would expose sensitive information such as model registry credentials, which could then grant the threat actor access to backdoor-stored ML models, or allow them to achieve code execution. (The Hacker News)
Mitel MiCollab VoIP authentication bypass opens attack paths
Researchers at watchTowr released a proof-of-concept exploit for a path traversal flaw in the Mitel MiCollab enterprise VoIP platform that, when coupled with an arbitrary file read issue, can give attackers access to protected files, among other possible attack paths. In May, researchers found the flaw while trying to replicate a different vulnerability that Mitel patched at the time (CVE-2024-35286). The new issue they found is a path traversal that leads to authentication bypass and affects MiCollab 9.8 SP1 FP2 (9.8.1.201) and earlier. While the path traversal was patched in October with v.9.8.2.12, researchers have now released a proof-of-concept that can be leveraged to exploit a yet-unpatched arbitrary file read issue to access sensitive files from the underlying OS.
Researchers noted that the path traversal issue opened a much larger attack surface, as any one of the servlets that could now be accessed without authentication could have vulnerabilities or sensitive functionality that could be abused. Further analysis revealed that one servlet, ReconcileWizard, used for viewing or saving system reports, is vulnerable to path traversal, allowing a user to request any arbitrary file from the system, which could lead to sensitive information disclosure. (CSO)
Is open source a threat to national security?
Open source software (OSS) is a lifesaver for startups and enterprises alike as they attempt to deliver value to customers faster. However, the very nature of OSS leaves it open to poisoning by bad actors. Christopher Robinson, chief security architect at OpenSSF, shared that “open source AI and software can present serious national security risks – particularly as critical infrastructure increasingly relies on them.” However, Robinson also pointed out that OSS isn’t the only attack vector threat actors are looking to exploit: “While open source technology fosters rapid innovation, it doesn’t inherently have more vulnerabilities than closed-source software.” The difference in transparency between the two kinds of software is telling, with open source flaws and threats almost always publicly disclosed when discovered. Meanwhile, issues found in closed-source components are not usually shared with the public. (Information Week)
For more insights on software supply chain security, see RL Blog.
The Best of RL
Blog | .Net Devs Can Now Vet NuGet Packages with the Spectra Assure Community
Spectra Assure Community's search interface allows software development teams to quickly assess risk before choosing or updating open source NuGet packages (for free). [Read It Here]
Webinar | Lessons from SEC’s Crackdown on Software Transparency
December 12 at 12 pm ET
The SEC recently filed suit against four companies affected by the 2020 attack on SolarWinds. Join David Hirsch, a former SEC Enforcement Officer, and RL’s CTrO Saša Zdjelar for a discussion about the lessons from these actions on public companies, and what it means for everyone else. [Register Here]
Forrester Exclusive | Redesigning Third-Party Cyber Risk Management
LIVE ONLY - December 18 at 3:30pm ET
According to Forrester’s Business Risk Survey, 48% of enterprise risk decision-makers reported that risk has increased in the past 12 months; 25% attributed it to increasing reliance on third parties. Alla Valente, Senior Analyst with Forrester, and RL’s Jasmine Noel will explore the challenges of siloed risk management, the risks associated with third-party software, and how evolving regulatory landscapes demand continuous risk monitoring. [Register Here]
For more great conversations to watch, see RL’s on-demand webinar library.